On Wed, May 16, 2012 at 1:02 AM, Thor (Hammer of God) <t...@hammerofgod.com>wrote:
> Regardless, if you already know the username and password for the email, > it doesn’t matter anyway no does it? You could always get the mail via > IMAP or POP or whatever options were configured in gmail. There wouldn’t > be any need to go to the web interface in the first place. > > Hi, The verification process bypassed which the OP is talking about is basically put in place to protect victims of phishing attacks. The phishing attacker generally may not be in the same location as that of the victim. Gmail web interface asks questions (mentioned my OP) so that the attacker wont just get into the account with stolen credentials. Also note that IMAP and POP3 can be disabled (dont remember if both are disabled by default). So this bypass presents an interesting approach to attacker in case of IMAP being enabled. Regards, (If debugging is the process of removing bugs, then programming must be the process of putting them in --Edsger Dijkstra) Shreyas Zare Sr. Information Security Researcher Secfence Technologies http://www.secfence.com Follow me on twitter @shreyasonline <https://twitter.com/#%21/shreyasonline> Check out Secfence | Blog [http://blog.secfence.com]
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/